Password Management for non Elephants

Password Managers

Over the years I have used many different password managers. Being a nerd and working in I.T. I have a lot of passwords to keep track of (well over 250). All unique, all complex. I don’t have the memory of an elephant so remembering all of them is out of the question. In this article I will discuss how I manage them effectively.

A long time ago I recognized the need to store passwords somewhere safe. At the time there were not many applications, if any, for storing this information. I started out using a password-encrypted Excel spreadsheet. This worked out fine because I mainly needed it for work anyway.

Once I needed to manage passwords for home as well, the spreadsheet solution didn’t work that well for me. There were a few password managers out then, but I wasn’t sure I trusted any of them, and didn’t want to pay what they were asking. So I did what any coder would do: I wrote my own. In comes KeySafe with RC4 encryption. At the time I was using a mix of platforms so I needed it to work across all of them (Mac, Windows, and Linux). All I had to do was copy the encrypted file between the computers. I had intended to sell it as shareware, but never did.

That worked for quite a while, but it became increasingly difficult to remember which computer had the latest encrypted file. I sometimes inadvertently replaced the most current file with an older one and ended up losing a password. A lot had changed since I first wrote it, and I could not get any changes to compile without significant effort and rewriting. So I chose to look for a new alternative.

I tried several different password managers including mSeven Software mSecure, Acrylic Software Wallet, KeePass (open source), and several others. There were things I liked about all of them as well as things I didn’t like. I should state that the browser’s password management feature was not an option since I also store non-web-based passwords.

Ultimately I chose Acrylic Software Wallet. It had excellent aesthetics and an iOS application which could sync to the desktop. It didn’t support Linux or Windows. Linux didn’t matter that much anymore for me, and I thought I could make do without the Windows side since it had an iOS companion. This worked very well until July 2012 when the author announced it would no longer be developed as he was taking a job with Facebook. So the search began again, this time with a list of requirements:

– Must have an iOS application, which must allow a master password for unlocking and not a crappy 4-digit PIN (these can be hacked inside 45 minutes).
– Must have a Windows desktop application (yes, I was tired of looking everything up on iOS and having to type in long complicated passwords).
– Must have the ability to intelligently sync between them.
– Must not be cost prohibitive once purchased for all needed platforms.

By this time I had started using LastPass as a supplement to Wallet. I still maintained every password in Wallet, but used LastPass to do automatic form filling (user name / password) for web sites. The LastPass goal is to be the last password you need. Very strong encryption, and you can use it across browsers and across computers. Log in once and it remembers, so the next time you don’t have to type in or copy/paste the password from a password manager. Very nice indeed. Wallet had this ability but it was only for Mac OSX so I didn’t use it.

After several email exchanges with each of the publishers and a spreadsheet showing the pros and cons of each password manager, I chose SBSH SafeWallet. It had everything I was looking for and was cheaper than the rest. AgileBits 1Password was a close second. SafeWallet served me well, until… they announced in early 2013 they were changing how sync worked – moving the sync mechanism to their servers and disallowing the existing sync methods. While this normally wouldn’t cause me much grief, I don’t like it because SBSH is based in Tel Aviv, Israel. They say their servers will be in the United States, but who knows what they could/would do behind the scenes. I’m not saying it’s a risk. I am saying that I, personally, am not comfortable with that move. Back to the drawing board.

Since I had moved to SafeWallet so recently, I only chose to look at my second choice – AgileBits 1Password. I didn’t choose 1Password before because it allowed login with only a 4-digit PIN, then a master password to open select items. I asked some friends that were using it how they liked it and received good feedback. I emailed their support to get a feel for the iOS app since there is no trial. I found out they now had the option to not use the 4-digit PIN. They also sell bundles which reduce the overall cost. Sold!

I recently completed the transition from SafeWallet to 1Password and couldn’t be happier. It even has web browser plugins that do the form filling (username / password) just like LastPass. So I no longer need LastPass.

1Password Usage

When you launch the Mac OSX desktop application you are presented with a lock screen. You enter your master password to unlock it.

Once it’s unlocked you have access to all web passwords, system logins, secure notes and whatever else you’ve securely stored in it. You can manage the passwords in multiple ways. I use folders and tags, both of which are optional.

I use tags as a means to categorize and find items relating to a specific subject (e.g. work, personal, career, etc.). The items may be a mix of web sites, system logins, notes, etc. Click the tag and see everything related. Each item can have multiple tags if applicable, unlike folders. An item can only be in one folder.

I use folders as a means to categorize and find items, similar to tags but on a more granular level (e.g. work web sites, career web sites, personal web sites, finance web sites, work system logins, etc.). One could argue this could be done with tags as well and not use folders. In the end it’s your choice – whatever works for you.

While using the 1Password desktop application alone and copy/pasting passwords into web login forms is fine, the browser plugin really makes this easy. This is the part that replaces LastPass for me. Install the browser plugin first, then restart your browser. When you first start the browser you will need to unlock 1Password before using it. Click the key icon and the unlock screen appears (these screenshots are all from Mac OSX Safari):

Enter your master password to unlock it. Visit a website you need to login to, click the key icon again and be presented with the choices that match. In this example I went to Google Mail and 1Password recognized three account options.

I click the one I want and it fills in the details.

It can click the sign-in / logon button for you but I choose to do that myself.

If you are creating a login for a new site you can use 1Password’s built-in password generator. It can create complex passwords with ease. Click the key icon in the browser button bar to bring up the 1Password dialog, then click the icon that looks like the dial on a safe. Adjust the parameters as necessary. Click Fill when you are satisfied and 1Password will populate any password fields on the web page you are viewing.

When you click the login button on a web site whose credentials 1Password does not yet know, it will ask if you want to save the ones you entered. This prompt will be in a bar at the top of the web page you are viewing. You can alter the name it suggests, then click the Save button. If you don’t want to save it, click the X icon.

Now it will appear in the desktop application where you can tag and folder it how you like.

As a safety precaution, ALWAYS logout of any website you login to!

Now you’ve seen the Mac OSX desktop side. The Windows side is not as pretty but functionally the same. I’m told by the developer that a new version is in the works.

The iOS version works very similarly. When you start it you need to unlock it:

I have it set to ask for the master password in order to unlock it. 4-digit passcodes are NOT safe. DO NOT use them if you can avoid it. They can be cracked through brute force trial and error in as little as 45 minutes. To disable the 4-digit passcode, open settings inside the 1Password application and turn off the “Quick Unlock Code” option (green dot item below):

I know this sounds like an advertisement for 1Password, and it sort of is, though I get nothing in return. It is simply an outstanding product and gets my full endorsement. It is very secure, has very strong encryption, pleasing aesthetics, seamless syncing, and many other options. Now I only have to remember the password to get into it!

2 comments on “Password Management for non Elephants”

While our HQ is in Tel-Aviv, our servers are in the US using AWS,
which so many companies use.
In fact Israel is well known for security experts and security abilities due to the military service in top secret intelligence units. We have a few people here that worked in such units including some of our founders!

We made the move since we could offer users much more:
– Faster and more secure sync.
– Lots of new features in our pipeline (such as the form filler, saving pictures and much more, remote demolition, better revision support, revoke devices and much more).
– All information is still encrypted locally, we cannot access your data even if we want.
– 95% of users issues were due to dropbox sync, as you could not support changes on multiple devices simultaneously.
– Your data is still your data, it is saved on your device and you can open your account even without a data connection.
– Redesigned and re-engineered the plugins and mobile app.

And the new version is now 100% free!
I do respect your decisions as it’s your prerogative, I just wanted to give you the full picture, so you’d understand why and get all the information.

I understand. I do trust AWS as many people and companies do. I did state the move was just not something I was comfortable with. I never had any issues with SafeWallet sync since I’m the only one that has access and I’m not making changes to the same record on two or more devices at once. Why not give users the choice of what they want to use? Free may work for a lot of people, but I think good products are worth the price of admission. It’s going to be hard to separate yourselves from all the other freebies out there that provide no real protection. Hopefully SafeWallet’s new direction will be fruitful. All the best!